Merge pull request #1 from stevespringett/master

update

alpine/src/main/java/alpine/AlpineServlet.java

@@ -60,12 +60,12 @@ public class AlpineServlet extends ServletContainer {
      */
     @Override
     public void init(ServletConfig config) throws ServletException {
-        LOGGER.info("Starting " + Config.getInstance().getProperty(Config.AlpineKey.APPLICATION_NAME));
+        LOGGER.info("Starting " + Config.getInstance().getApplicationName());
         super.init(config);
 
         final Info info = new Info()
-                .title(Config.getInstance().getProperty(Config.AlpineKey.APPLICATION_NAME) + " API")
-                .version(Config.getInstance().getProperty(Config.AlpineKey.APPLICATION_VERSION));
+                .title(Config.getInstance().getApplicationName() + " API")
+                .version(Config.getInstance().getApplicationVersion());
 
         final Swagger swagger = new Swagger()
                 .info(info)
@@ -129,7 +129,7 @@ public void init(ServletConfig config) throws ServletException {
      */
     @Override
     public void destroy() {
-        LOGGER.info("Stopping " + Config.getInstance().getProperty(Config.AlpineKey.APPLICATION_NAME));
+        LOGGER.info("Stopping " + Config.getInstance().getApplicationName());
         super.destroy();
     }
 

alpine/src/main/java/alpine/Config.java

@@ -38,10 +38,12 @@ public class Config {
     private static final Logger LOGGER = Logger.getLogger(Config.class);
     private static final String ALPINE_APP_PROP = "alpine.application.properties";
     private static final String PROP_FILE = "application.properties";
-    private static final String INTERNAL_VERSION_PROP_FILE = "alpine.version";
+    private static final String ALPINE_VERSION_PROP_FILE = "alpine.version";
+    private static final String APPLICATION_VERSION_PROP_FILE = "application.version";
     private static Config instance;
     private static Properties properties;
-    private static Properties internalVersionProperties;
+    private static Properties alpineVersionProperties;
+    private static Properties applicationVersionProperties;
 
     public interface Key {
 
@@ -59,9 +61,6 @@ public interface Key {
     }
 
     public enum AlpineKey implements Key {
-        APPLICATION_NAME         ("application.name",                 "Unknown Alpine Application"),
-        APPLICATION_VERSION      ("application.version",              "0.0.0"),
-        APPLICATION_TIMESTAMP    ("application.timestamp",            "1970-01-01 00:00:00"),
         WORKER_THREADS           ("alpine.worker.threads",            0),
         WORKER_THREAD_MULTIPLIER ("alpine.worker.thread.multiplier",  4),
         DATA_DIRECTORY           ("alpine.data.directory",            "~/.alpine"),
@@ -108,9 +107,9 @@ public static Config getInstance() {
             instance = new Config();
             instance.init();
             LOGGER.info(StringUtils.repeat("-", 80));
-            LOGGER.info("Application: " + instance.getProperty(AlpineKey.APPLICATION_NAME));
-            LOGGER.info("Version:     " + instance.getProperty(AlpineKey.APPLICATION_VERSION));
-            LOGGER.info("Built-on:    " + instance.getProperty(AlpineKey.APPLICATION_TIMESTAMP));
+            LOGGER.info("Application: " + instance.getApplicationName());
+            LOGGER.info("Version:     " + instance.getApplicationVersion());
+            LOGGER.info("Built-on:    " + instance.getApplicationBuildTimestamp());
             LOGGER.info(StringUtils.repeat("-", 80));
             LOGGER.info("Framework:   " + instance.getFrameworkName());
             LOGGER.info("Version :    " + instance.getFrameworkVersion());
@@ -154,15 +153,25 @@ private void init() {
             LOGGER.error("A fatal error occurred loading application properties. Please correct the issue and restart the application.");
         }
 
-        internalVersionProperties = new Properties();
-        try (InputStream in = this.getClass().getClassLoader().getResourceAsStream(INTERNAL_VERSION_PROP_FILE)) {
-            internalVersionProperties.load(in);
+        alpineVersionProperties = new Properties();
+        try (InputStream in = this.getClass().getClassLoader().getResourceAsStream(ALPINE_VERSION_PROP_FILE)) {
+            alpineVersionProperties.load(in);
         } catch (IOException e) {
-            LOGGER.error("Unable to load " + INTERNAL_VERSION_PROP_FILE);
+            LOGGER.error("Unable to load " + ALPINE_VERSION_PROP_FILE);
         }
-        if (internalVersionProperties.size() == 0) {
+        if (alpineVersionProperties.size() == 0) {
             LOGGER.error("A fatal error occurred loading Alpine version information. Please correct the issue and restart the application.");
         }
+
+        applicationVersionProperties = new Properties();
+        try (InputStream in = this.getClass().getClassLoader().getResourceAsStream(APPLICATION_VERSION_PROP_FILE)) {
+            applicationVersionProperties.load(in);
+        } catch (IOException e) {
+            LOGGER.error("Unable to load " + APPLICATION_VERSION_PROP_FILE);
+        }
+        if (applicationVersionProperties.size() == 0) {
+            LOGGER.error("A fatal error occurred loading application version information. Please correct the issue and restart the application.");
+        }
     }
 
     /**
@@ -171,7 +180,7 @@ private void init() {
      * @since 1.0.0
      */
     public String getFrameworkName() {
-        return internalVersionProperties.getProperty("name");
+        return alpineVersionProperties.getProperty("name");
     }
 
     /**
@@ -180,7 +189,7 @@ public String getFrameworkName() {
      * @since 1.0.0
      */
     public String getFrameworkVersion() {
-        return internalVersionProperties.getProperty("version");
+        return alpineVersionProperties.getProperty("version");
     }
 
     /**
@@ -189,7 +198,34 @@ public String getFrameworkVersion() {
      * @since 1.0.0
      */
     public String getFrameworkBuildTimestamp() {
-        return internalVersionProperties.getProperty("timestamp");
+        return alpineVersionProperties.getProperty("timestamp");
+    }
+
+    /**
+     * Returns the Application component name.
+     * @return the Application name
+     * @since 1.0.0
+     */
+    public String getApplicationName() {
+        return applicationVersionProperties.getProperty("name", "Unknown Alpine Application");
+    }
+
+    /**
+     * Returns the Application version.
+     * @return the Application version
+     * @since 1.0.0
+     */
+    public String getApplicationVersion() {
+        return applicationVersionProperties.getProperty("version", "0.0.0");
+    }
+
+    /**
+     * Returns the Application built timestamp.
+     * @return the timestamp in which this version of the Application was built
+     * @since 1.0.0
+     */
+    public String getApplicationBuildTimestamp() {
+        return applicationVersionProperties.getProperty("timestamp", "1970-01-01 00:00:00");
     }
 
     /**

alpine/src/main/java/alpine/auth/KeyManager.java

@@ -112,7 +112,7 @@ public KeyPair generateKeyPair() throws NoSuchAlgorithmException {
         final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
         final SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
         keyGen.initialize(4096, random);
-        return keyGen.generateKeyPair();
+        return this.keyPair = keyGen.generateKeyPair();
     }
 
     /**
@@ -126,7 +126,7 @@ public SecretKey generateSecretKey() throws NoSuchAlgorithmException {
         final KeyGenerator keyGen = KeyGenerator.getInstance("AES");
         final SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
         keyGen.init(256, random);
-        return keyGen.generateKey();
+        return this.secretKey = keyGen.generateKey();
     }
 
     /**

alpine/src/main/java/alpine/filters/AuthenticationFilter.java

@@ -21,6 +21,8 @@
 import alpine.auth.JwtAuthenticationService;
 import alpine.logging.Logger;
 import org.glassfish.jersey.server.ContainerRequest;
+import org.owasp.security.logging.SecurityMarkers;
+
 import javax.annotation.Priority;
 import javax.naming.AuthenticationException;
 import javax.ws.rs.Priorities;
@@ -60,7 +62,7 @@ public void filter(ContainerRequestContext requestContext) {
                 try {
                     principal = apiKeyAuthService.authenticate();
                 } catch (AuthenticationException e) {
-                    LOGGER.info("Invalid login attempt");
+                    LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Invalid API key asserted");
                     requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                     return;
                 }
@@ -71,7 +73,7 @@ public void filter(ContainerRequestContext requestContext) {
                 try {
                     principal = jwtAuthService.authenticate();
                 } catch (AuthenticationException e) {
-                    LOGGER.info("Invalid login attempt");
+                    LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Invalid JWT asserted");
                     requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                     return;
                 }

alpine/src/main/java/alpine/filters/BlacklistUrlFilter.java

@@ -0,0 +1,131 @@
+/*
+ * This file is part of Alpine.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License";
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) Steve Springett. All Rights Reserved.
+ */
+package alpine.filters;
+
+import org.apache.commons.lang3.StringUtils;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * BlacklistUrlFilter is a configurable Servlet Filter that can prevent access to
+ * specific URLs. The filter can either deny access or ignore access. Denials
+ * result in a HTTP 403 response whereas an ignore results in a HTTP 404 response.
+ *
+ * The filter may be used when specific files or directories should not be accessible.
+ * In the case of executable WARs, use of this filter is highly recommended since
+ * executable WARs must meet the requirements of both JAR and WAR files, thus placing
+ * compiled classes and their package structure inside the document webroot.
+ *
+ * Sample usage:
+ * <pre>
+ * &lt;filter&gt;
+ *   &lt;filter-name&gt;BlacklistUrlFilter&lt;/filter-name&gt;
+ *   &lt;filter-class&gt;alpine.filters.BlacklistUrlFilter&lt;/filter-class&gt;
+ *   &lt;init-param&gt;
+ *     &lt;param-name&gt;denyUrls&lt;/param-name&gt;
+ *     &lt;param-value&gt;/secretfolder&lt;/param-value&gt;
+ *   &lt;/init-param&gt;
+ *   &lt;init-param&gt;
+ *     &lt;param-name&gt;ignoreUrls&lt;/param-name&gt;
+ *     &lt;param-value&gt;/org,/com,/us,/javax&lt;/param-value&gt;
+ *   &lt;/init-param&gt;
+ * &lt;/filter&gt;
+ *
+ * &lt;filter-mapping&gt;
+ *   &lt;filter-name&gt;BlacklistUrlFilter&lt;/filter-name&gt;
+ *   &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
+ * &lt;/filter-mapping&gt;
+ *
+ * </pre>
+ *
+ * @author Steve Springett
+ * @since 1.0.0
+ */
+public final class BlacklistUrlFilter implements Filter {
+
+    private String[] denyUrls = {};
+    private String[] ignoreUrls = {};
+
+    /**
+     * Initialize "deny" parameter from web.xml.
+     *
+     * @param filterConfig A filter configuration object used by a servlet container
+     *                     to pass information to a filter during initialization.
+     */
+    public void init(final FilterConfig filterConfig) {
+
+        final String denyParam = filterConfig.getInitParameter("denyUrls");
+        if (StringUtils.isNotBlank(denyParam)) {
+            this.denyUrls = denyParam.split(",");
+        }
+
+        final String ignoreParam = filterConfig.getInitParameter("ignoreUrls");
+        if (StringUtils.isNotBlank(ignoreParam)) {
+            this.ignoreUrls = ignoreParam.split(",");
+        }
+
+    }
+
+    /**
+     * Check for denied or ignored URLs being requested.
+     *
+     * @param request The request object.
+     * @param response The response object.
+     * @param chain Refers to the {@code FilterChain} object to pass control to the next {@code Filter}.
+     * @throws IOException
+     * @throws ServletException
+     */
+    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
+            throws IOException, ServletException {
+
+        final HttpServletRequest req = (HttpServletRequest) request;
+        final HttpServletResponse res = (HttpServletResponse) response;
+
+        final String requestUri = req.getRequestURI();
+        if (requestUri != null) {
+            for (String url: denyUrls) {
+                if (requestUri.startsWith(url.trim())) {
+                    res.setStatus(HttpServletResponse.SC_FORBIDDEN);
+                    return;
+                }
+            }
+            for (String url: ignoreUrls) {
+                if (requestUri.startsWith(url.trim())) {
+                    res.setStatus(HttpServletResponse.SC_NOT_FOUND);
+                    return;
+                }
+            }
+        }
+        chain.doFilter(request, response);
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    public void destroy() {
+    }
+
+}